On 5/12/26 4:22 PM, Benoit Panizzon wrote:
Hi Matija

So no matter how spamassassin is called, in both cases IMHO it should
get the full text/rfc822 email with header and body and get the same
results.

Agreed. If your mail is indeed in correct format, there are a few things that I'd check:

- has the MIMEdefang been instructed to reload to pick up new rules?

Absolutely.

- has the reload succeeded, specifically:
   - e.g. file permission problem might have "spamassassin -t" running as root succeed, while MIMEdefang running as unprivileged user might fail

Well, in my understanding, spamassassin only needs read access to rules,
and as 'rules' are applied, this is not a generic issue.

TO_IN_SUBJ rules exist in 72_active.cf and active.list, both are world
readable, so unless I overlooked something weird, I can exclude this.
Could it be this SA bug (fixed in trunk)?
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8388

 Giovanni

But I will add a shell to my 'defang' user under which the milter is
running and run spamassassin as this user, just to make sure.

   - syntax error might cause MIMEdefang to abort reloading and use old configuration

filter:~# spamassassin --lint
May 12 16:11:45.572 [7633] warn: Found From: [email protected]

filter:~# mimedefang.pl -f /etc/mimedefang-filter -test
Prototype mismatch: sub main::message_contains_virus: none vs () at /etc/mimedefang-filter line 142.
Prototype mismatch: sub main::entity_contains_virus: none vs ($) at /etc/mimedefang-filter line 163.
Found From: [email protected]
Filter /etc/mimedefang-filter seems syntactically correct.

Does not look like severe errors

   - you can check by e.g. adding some other always-hitting rule in same config file and see if that one matches in both cases or also only in cmdline "spamassassin -t"
   - also, check the logs that MIMEdefang might produce

MIMEDefang just runs fine and logs what is reported by SpamAssassin.

Example from a recent email which should have hit 'to_in_subject'
(domain replaced by example.com)

From: ADAC <[email protected]>
To: "[email protected]" <[email protected]>
Subject: (1) Ihr kostenloses Auto-Notfallset wartet auf Sie – [email protected]
Date: Tue, 12 May 2026 13:53:41 +0000

Raw:

Subject: (1) Ihr kostenloses Auto-Notfallset wartet auf Sie
  =?utf-8?Q?=E2=80=93?= [email protected]
From: ADAC <[email protected]>
Reply-To: ADAC <[email protected]>
To: "[email protected]" <[email protected]>

MIMEDefang Log:

May 12 15:53:46 filter mimedefang.pl[7537]: 3708D3F925: SpamAssassin: BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SNCH_OVH,SPF_HELO_NONE,SPF_PASS
May 12 15:53:46 filter mimedefang.pl[7537]: 3708D3F925: MDLOG,3708D3F925,mail_in,2.901,51.83.129.130,<[email protected]>,<[email protected]>,(1) Ihr kostenloses Auto-Notfallset wartet auf Sie – [email protected]

I have MIMEDefang put the full report into the headers:

X-Spam-Report: ---- Start der SpamAssassin Auswertung
         0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
        -0.0 SPF_PASS               SPF: sender matches SPF record
        -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                                    domain
         0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
        -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                                    envelope-from domain
        -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
        -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                                    [score: 0.0004]
         0.0 HTML_MESSAGE           BODY: HTML included in message
         0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                                    background
        -0.0 DMARC_PASS             DMARC pass policy
         5.0 SNCH_OVH               Sent from OVH France
                                    [ASN: AS16276]
        ---- Ende der SpamAssassin Auswertung

Ok while we were at it - added bash to 'defang' user:

filter:~# su - defang
defang@filter:~$
defang@filter:~$ pwd
/var/spool/MIMEDefang

looks right

defang@filter:~$ spamassassin -D -t
May 12 16:18:49.871 [7701] dbg: logger: adding facilities: all
May 12 16:18:49.871 [7701] dbg: logger: logging level is DBG
May 12 16:18:49.872 [7701] dbg: generic: SpamAssassin version 4.0.1
May 12 16:18:49.872 [7701] dbg: generic: Perl 5.040001, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin
May 12 16:18:49.872 [7701] dbg: config: timing enabled
May 12 16:18:49.873 [7701] dbg: config: score set 0 chosen.
May 12 16:18:49.874 [7701] dbg: util: running in taint mode? yes
May 12 16:18:49.874 [7701] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
May 12 16:18:49.874 [7701] dbg: util: PATH included '/usr/local/bin', keeping
May 12 16:18:49.874 [7701] dbg: util: PATH included '/usr/bin', keeping
May 12 16:18:49.874 [7701] dbg: util: PATH included '/bin', keeping
May 12 16:18:49.875 [7701] dbg: util: PATH included '/usr/local/games', keeping
May 12 16:18:49.875 [7701] dbg: util: PATH included '/usr/games', keeping
May 12 16:18:49.875 [7701] dbg: util: final PATH set to: /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
May 12 16:18:49.878 [7701] dbg: util: secure_tmpfile created a temporary file /tmp/.spamassassin7701fzBpKXtmp

=> pasting raw email - ctrl-d

---- Start der SpamAssassin Auswertung
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  0.0 SPF_FAIL               SPF: Senderechner entspricht nicht SPF-Datensatz (fail)
                             [SPF failed: Rejected by SPF record.]
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                             domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 -1.9 BAYES_00               BODY: Spamwahrscheinlichkeit nach Bayes-Test: 0-1%
                             [score: 0.0002]
  1.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                             domains are different
  5.0 SNCH_OVH               Sent from OVH France
                             [ASN: AS16276]
  0.0 HTML_MESSAGE           BODY: Nachricht enthält HTML
  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML-Schriftfarbe ähnlich der
                             Hintergrundfarbe
  1.0 TO_IN_SUBJ             To address is in Subject
 -0.0 DMARC_PASS             DMARC pass policy

---- Ende der SpamAssassin Auswertung

So even when running with the same user as MIMEdefang is running
spamassassin, I only get a TO_IN_SUBJ hit when running from command
line.
Am I getting crazy? ;-)

=> Hmm same issue with: HEADER_FROM_DIFFERENT_DOMAINS

Kind regards

-Benoît Panizzon-
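
Added example, not part of the thread: a small Python helper that diffs the rule hits of two SpamAssassin reports (rows abridged from the two reports quoted above) and separates rules that depend on envelope data from the rest. The function names and the envelope heuristic are assumptions made for this example.

```python
import re

# Scored report row: "<score> <RULE> <description>"; wrapped description lines
# carry no score and are appended to the previous rule.
ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s*(.*)$")

def parse_report(text):
    """Return {rule: description} from an X-Spam-Report style block."""
    rules, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = m.group(2)
            rules[last] = m.group(3).strip()
        elif last and line.strip() and not line.lstrip().startswith("----"):
            rules[last] += " " + line.strip()
    return rules

def compare(milter, cli):
    """Rules hit in only one run, as (rule, run) pairs. The split is a heuristic
    (assumption): SPF_* rules and rules whose description mentions the envelope
    depend on SMTP-time data that the two runs may not share."""
    desc = {**milter, **cli}
    def envelope(rule):
        return rule.startswith("SPF_") or "envelope" in desc[rule].lower()
    diff = sorted((r, "cli" if r in cli else "milter") for r in set(milter) ^ set(cli))
    return {"envelope": [d for d in diff if envelope(d[0])],
            "other": [d for d in diff if not envelope(d[0])]}

# Rows abridged from the two reports quoted in the post.
MILTER = """\
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  5.0 SNCH_OVH               Sent from OVH France
"""
CLI = """\
  0.0 SPF_FAIL               SPF: Senderechner entspricht nicht SPF-Datensatz (fail)
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  1.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                             domains are different
  5.0 SNCH_OVH               Sent from OVH France
  1.0 TO_IN_SUBJ             To address is in Subject
"""

if __name__ == "__main__":
    for group, rules in compare(parse_report(MILTER), parse_report(CLI)).items():
        print(group, rules)
```

Rules in the "envelope" group can differ simply because the two runs were given different envelope data; a rule left in "other" is not explained by this heuristic.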
